diff --git a/reference/pdo/prepared-statements.xml b/reference/pdo/prepared-statements.xml
index b37dfa20d6..8f89cee0dd 100644
--- a/reference/pdo/prepared-statements.xml
+++ b/reference/pdo/prepared-statements.xml
@@ -5,9 +5,9 @@
Prepared statements and stored procedures
Many of the more mature databases support the concept of prepared
- statements. What are they? You can think of them as a kind of compiled
- template for the SQL that you want to run, that can be customized using
- variable parameters. Prepared statements offer two major benefits:
+ statements. What are they? They can be thought of as a kind of compiled
+ template for the SQL that an application wants to run, that can be customized
+ using variable parameters. Prepared statements offer two major benefits:
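Review bot: the trailing relative clause in the new "template for the SQL that an application wants to run, that can be customized using variable parameters" now reads as if it modifies "run" rather than "template"; since the line is being rewritten anyway, consider "a kind of compiled template for the SQL that an application wants to run, which can be customized using variable parameters" so the sentence still parses cleanly after the voice change.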
@@ -16,28 +16,28 @@
executed multiple times with the same or different parameters. When the
query is prepared, the database will analyze, compile and optimize it's
plan for executing the query. For complex queries this process can take
- up enough time that it will noticeably slow down your application if you
- need to repeat the same query many times with different parameters. By
- using a prepared statement you avoid repeating the
- analyze/compile/optimize cycle. In short, prepared statements use fewer
+ up enough time that it will noticeably slow down an application if there
+ is a need to repeat the same query many times with different parameters. By
+ using a prepared statement the application avoids repeating the
+ analyze/compile/optimize cycle. This means that prepared statements use fewer
resources and thus run faster.
The parameters to prepared statements don't need to be quoted; the
- driver handles it for you. If your application exclusively uses
- prepared statements, you can be sure that no SQL injection will occur.
- (However, if you're still building up other parts of the query based on
- untrusted input, you're still at risk).
+ driver automatically handles this. If an application exclusively uses
+ prepared statements, the developer can be sure that no SQL injection will
+ occur (however, if other portions of the query are being built up with
+ unescaped input, SQL injection is still possible).
Prepared statements are so useful that they are the only feature that PDO
- will emulate for drivers that don't support them. This ensures that you
- will be able to use the same data access paradigm regardless of the
- capabilities of the database.
+ will emulate for drivers that don't support them. This ensures that an
+ application will be able to use the same data access paradigm regardless of
+ the capabilities of the database.
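Review bot: changing "untrusted input" to "unescaped input" in the parenthetical on SQL injection weakens the warning and should be reverted to "untrusted". The risk the sentence describes is composing query fragments (table or column names, ORDER BY clauses, and so on) from attacker-controlled data, which parameter binding cannot cover; saying "unescaped" suggests that escaping such fragments is enough, which is exactly the mistake this paragraph exists to warn against. Suggested wording: "(however, if other portions of the query are being built up from untrusted input, SQL injection is still possible)". While this paragraph is being touched, the unchanged context line "the database will analyze, compile and optimize it's plan" should also become "its plan".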
@@ -118,12 +118,12 @@ if ($stmt->execute(array($_GET['name']))) {
- If the database driver supports it, you may also bind parameters for
+ If the database driver supports it, an application may also bind parameters for
output as well as input. Output parameters are typically used to retrieve
values from stored procedures. Output parameters are slightly more complex
- to use than input parameters, in that you must know how large a given
- parameter might be when you bind it. If the value turns out to be larger
- than the size you suggested, an error is raised.
+ to use than input parameters, in that a developer must know how large a given
+ parameter might be when they bind it. If the value turns out to be larger
+ than the size they suggested, an error is raised.
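Review bot: the new lines "If the database driver supports it, an application may also bind parameters for" and "to use than input parameters, in that a developer must know how large a given" are noticeably longer than the rest of the paragraph, which wraps at roughly 72 columns; re-wrap them so the XML source keeps its existing line width, and consider whether "the developer" should be "an application" here to match the subject used in the previous hunk.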
@@ -146,7 +146,7 @@ print "procedure returned $return_value\n";
- You may also specify parameters that hold values both input and output;
+ Developers may also specify parameters that hold values both input and output;
the syntax is similar to output parameters. In this next example, the
string 'hello' is passed into the stored procedure, and when it returns,
hello is replaced with the return value of the procedure.
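Review bot: this hunk switches to the plural "Developers may also specify parameters", while the preceding hunk uses "an application" and "a developer"; pick one subject and use it throughout the file. Since the line is being rewritten, "parameters that hold values both input and output" would read better as "parameters that hold both input and output values".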